SECURITY POLICY FOR PROCESSING OF PERSONAL DATA AND INSTRUCTIONS FOR MANAGING IT SYSTEM PROCESSING PERSONAL DATA
Implementing the provisions of the Act of 29 August 1997 on the protection of personal data (Journal of Laws from 1997 No. 133, Item 883, as amended), and issued based on the provisions of the Ordinance/Regulations of the Minister of the Interior and Administration of 29 April 2004. (Journal of Laws from 2004 No. 100, Item 1024, as amended) with regard to processing personal data documentation as well as technical and organisational conditions which should be met by devices and information systems used to process personal data to which a set of rules and practical experience is introduced which regulates how to manage, protect and distribute sensitive information that allows the protection of personal data.
General provisions Whenever the document refers to:
- Personal Data Administrator (PDA) - should be understood as Biomol-Med limited liability company
- Data Protection Officer (DPO) - should be understood as Emilia Wojdon
- area of processing should be understood as the buildings, rooms or parts of rooms in which personal data is processed.
- the collection of personal data should be understood as each structured set of personal data available according to specific criteria, regardless of its dispersion or division.
- description of the structure of collection should be understood as a description of personal data files indicating the content of individual information fields including the links between them.
- description of the data flow should be understood as a description of the flow of personal data between collection.
- technical and organisational measures should be understood as technical and organisational measures necessary to ensure confidentiality, integrity and accountability of the processed data.
- security procedures should be understood as procedures aimed at securing the personal data being processed.
Personal Data Administrator
The Personal Data Administrator, in order to ensure the protection of personal data, has appointed the Data Protection Officer.
The Personal Data Officer needs to, in particular:
- Develop and implement a security policy for the processing of personal data including the instructions for the management of the IT system that processes personal data.
- Issue and cancel authorisations to process personal data to persons who are having their data processed.
- Keep records of persons who are authorised to process personal data.
- Keep records of personal data files along with a description of the software used to process them includes the way in which data flows between the systems as well as a description of the security used.
- Keep a description of the structure of the data sets including a description of information fields and links between them.
- Keep records of consent statements for the processing of personal data of persons to whom this data pertains.
- Report data collection which is subject to registration to the Data Protection Authority.
Purpose of data processing
The PDA takes great care to process personal data only to the extent necessary for the purposes for which it is processed and attempts to minimise all processes of personal data processing. The PDA almost always processes your personal data, which consists of personal data such as: name and surname/company name and contact details: address of residence/registered office, correspondence address, telephone number and email address. Other personal data is processed to the extent determined by the specific purpose of the processing, which you will be informed of before purchasing services in connection with the acquisition of your personal data.
Technical and Organisational Measures
In order to protect personal data, the following organisational security measures are being used:
- A security policy as well as instructions for managing the IT system for processing personal data have been developed and implemented.
- Only persons with valid authorisations for processing personal data are allowed to do so.
- Records are kept of persons authorised to process personal data.
- Authorised persons have been trained in the IT security system as well as the protection of personal data.
- Persons who are authorised have submitted a declaration of confidentiality of the personal data being processed.
- The processing of personal data is performed in conditions which protect personal data against unauthorised access.
- The presence of unauthorised persons in the processing are is possible only under the supervision of authorised persons and in conditions which ensure the security of the personal data.
In order to protect personal data, the following organisational security measures are being used:
- The door to the rooms which allows access to the processing area is locked by means of a key.
- The processing area is separated from the remaining rooms by a door with a numeric keypad and an electromagnet that prevents entry to persons who do not know the access code.
- Personal data in paper format is stored in furniture which is locked by means of a key.
- Document and data shredders are available in the processing area.
- Keys, access codes or other security features for the processing areas are issued and revoked by collection of authorised persons.
In order to protect personal data, the following IT and telecommunications hardware security infrastructure is used:
- A UPS is used for the server and/or computers on which personal data is processed.
- Access to computers on which personal data is stored is done by entering a login and password.
- Remote access via the Internet to personal data takes place via an encrypted SSL or VPN connection and requires a login and password.
- An anti-virus system and a firewall are used on computers on which personal data is stored.
Procedures which ensure the security of personal data
Procedure for granting rights to personal data processing:
- Authorisation to process personal data is granted by the DPO.
- Before granting authorisation in order to process personal data, the person is trained in its protection and is familiarised with the security of the information system.
- A person authorised to process personal data signs a non-disclosure agreement (NDA) concerning the personal data to which he/she has access.
Methods and means to secure access to personal data:
- Passwords which grant access to personal data may not be commonly known personal names.
- The authorised person undertakes to keep the password which grant access to personal data confidential as well as to immediately change it in case of disclosure.
- It is forbidden to store the password in plain sight or to pass it on to other people.
- The password is semi-automatically or manually changed every 30 days by authorised persons.
- The password consists of at least 8 characters, containing both uppercase and lowercase letters as well as numbers or special characters.
The procedure for commencing, suspending and terminating work that requires the processing of personal data:
- An authorised person logs into the system or program using a login and password.
- An authorised person is obliged to inform the PDO of any unauthorised login attempts into the system or program if the system or program identifies such attempts.
- An authorised person is obliged to prevent unauthorised persons from access to personal data either displayed on a screen or in paper format.
- A person authorised to process personal data is obliged to run a password protected screen saver or to log out of the system and remove any printouts containing personal data from their desk when temporarily leaving their workplace.
- After finishing work, the authorised person is obliged to log off or turn off the computer and remove any media containing personal data from their desk as well as secure the room against burglary, flooding, fire, etc.
Procedure for creating a backup:
- Depending on the size of the quantitative and capacitive increase it is backed up in intervals which occur not more than 1 day and not less than one month apart.
- Backup copies of personal data in an electronic format may be stored on an external data carrier which is secured in accordance with organisational security.
- The person making the backup copies is obliged to mark them and check the consistency of the data as well as its ability to be opened.
- Backup copies are stored for not less than 1 year and not longer than 5 years.
- After the retention period, backup copies are permanently destroyed or anonymised.
Procedure for storing personal data via printed media and in electronic format:
- Authorised persons are obliged to permanently destroy/delete personal data after the purpose of its processing has been completed.
- It is forbidden to transfer personal data out of the processing area without the consent of the DPO and to ensure at least the same security conditions for the processing ofpersonal data as are applicable in the area of processing.
- Personal data sent electronically outside the processing area should be password protected.
- It is forbidden to hand over data carriers containing personal data to third parties for remedial purposes, donations, etc.
- Carriers of personal data such as:
c. Pendrive/Memory card
d. External hard drive
are stored in a manner in which prevents access to it by unauthorised persons as well as protects it from any damage which may be caused by, for example: flooding, burning, melting, etc.
The procedure for entering and sharing personal data with third parties:
- Every entry and provision of personal data should be made both in accordance with the Law and executive acts as well as this document and on the legal basis.
- Records are kept of data being entered and shared, which specifying in particular:
a. The date of entry
b. Identification of the authorised person entering the data
c. The date of release
d. The entity to whom the data was made available to
e. The scope of the data which is being entered or made available
f. The basis for sharing or entry
Control procedures and personnel training:
- Inspections are performed annually in compliance with the applicable protection of personal data regulations.
- A protocol is drawn up from the inspection, which forms the basis for updating the procedures as well as this document.
- Personnel training is conducted annually to ensure that the personnel are up-to-date with the procedures of personal data protection.
- Before receiving the authorisation every employee is trained individually.
- Any repair or maintenance of computer equipment containing personal data or the premises which constituting the processing area may only take place under the supervision of authorised persons.
After the processing is terminated, the DPO submits a notification of a set of personal data that requires notification and deletion of the collection to the Data Protection Office.
All procedures and rules described in this document are complied with by persons authorised to observe personal data, with particular emphasis on the wellbeing of the concerned persons.
Entrusting the processing of personal data to a third party may be made only by an agreement concluded in writing, with the proviso that the entity meets at least the same security conditions for the processing of personal data as Biomol-Med limited liability company.